[Owasp-leaders] OWASP charitable status (was: Re: OWASP Election)

Mike Goodwin mike.goodwin at owasp.org
Sun Oct 11 17:51:00 UTC 2015


Jim - thanks for that info. Also, I hope you enjoy the baths. I started
running today after very long layoff, so I could do with something similar
myself!

I guess my main point is that if we were to look at any structure that had
both a charity part and a non-charity part (of whatever type)  then I would
want to see the charity part as the parent and in control, rather than
vice-versa. That is the main aspect of the Mozilla model that I see as
important. Presumably some or all of the OWASP (charity) board would also
be on the board of the subsidiary to provide the governance to ensure the
subsidiary was working solely to support the OWASP mission.

As to whether we should actually *have *that kind of two-level structure at
all, I'm open minded. Things I would like to see in OWASP are:


   - OWASP employs people to work full time on key projects to give them
   dedicated focus and acceleration - think of how much support Joyent give to
   node.js, for example
   - The most obvious candidates to be these key projects are our flasgship
   projects but it could include other early-stage projects that were judged
   to have the right potential
   - The main website/wiki for OWASP and the key educational assets on it
   should also have a bigger full-time staff to make them genuinely world
   class. I'm thinking here of graphic designers, technical authors, web
   developers etc. to help get the most from the great content provided by all
   the subject matter expert contributors
   - All the above would probably need some more dedicated revenue raising
   effort to make it sustainable

If we can do that without restructuring, then great, let's save the legal
costs. I'm genuinely open minded on it.

Jim, I'm happy to join a call with some specialists - I'm not in a position
to contribute to paying for it from my own funds though :o( Don't you think
this should be something that this inquiry is something that should be
funded from OWASP funds though? It seems to me like a reasonable use of
such funds...

Mike






On 11 October 2015 at 12:16, Jim Manico <jim.manico at owasp.org> wrote:

> Mike,
>
> I think the main reason for Mozilla's corporate structure is because back
> in the day, 90% of their revenue came from Google advertising royalties and
> the IRS conducted an audit because of so much revenue coming from one
> company as well as the type of income (not a donation).
>
> So Mozilla set up a for-profit entity to collect these feels legally and
> then donated that profit back to the charity.
>
> I'm inclined to call the IRS or a legal expert in this area and ask a few
> questions about what is best for OWASP. If you would care to join me let me
> know. I appreciate your concern and perspective over this issue.
>
> And hello from Budapest, Hungry. Enough of this for one day, I'm off to
> the local thermal baths with my wife. Priorities, eye? Time to soak...
>
> Aloha,
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
>
> On Oct 11, 2015, at 11:41 AM, Mike Goodwin <mike.goodwin at owasp.org> wrote:
>
> If this is being investigated further,it would be worth considering having
> a 501(c)3 parent with a wholly owned corporation (i.e. not a trade
> association 501(c)6) as a subsidiary. This is the model that Mozilla has
> and to my non-legal mind, it makes more sense if we want to keep our
> charitable mission since the charity would be the sole shareholder of the
> corp and therefore control it and ensure it served the mission of the
> charity. Also it would remove any legal non-compete restrictions that Jim
> mentioned. Regardless of the exact nature of the trade
> associsation/corporation, I think the charity should be the parent and not
> the other way round.
>
> Mike
>
> On 11 October 2015 at 09:54, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Totally fair perspective, thanks for diving into this, Robert. If you
>> would like to take me up on my offer to join me in researching this more
>> with a professional in this area, let me know.
>>
>> I'm extremely biased towards exclusively remaining a charity, but I'm
>> happy to explore alternatives further.
>>
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> On Oct 11, 2015, at 10:15 AM, Robert Shullich <robert.shullich at owasp.org>
>> wrote:
>>
>> It was not my intention to say go this way, but switching the current
>> organization to 501c6 exclusively doesn't have to be the only answer, I.e.
>> Doing Both a 501c6 and a 501c3
>>
>> As I said it will take a lot of resources, so I don't know if it would be
>> quick. We would need to know the pros & cons. And yes, it looks like
>> everyone else does it that way - but it doesn't mean that the configuration
>> is right for us. Status quo may end up being the better way.
>>
>> Who knows - I don't
>>
>> Sent from my iPhone
>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>> Enterprise Security Architect
>> Tower Group Companies
>> Pro Box 026156
>> Brooklyn NY 11202
>> (201) 291-7432 (Direct)
>> (201) 221-8767 (Fax)
>> (908) 419-5417 (Mobile)
>>
>>
>> On Oct 11, 2015, at 3:12 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> Robert "everyone is doing it" is a good reason to potentially research
>> this more, but at the same time it's a bit creepy to hear that phrase
>> uttered.
>>
>> Another thing to consider is that trade associations cannot at all
>> compete with it's members. Per my understanding we would have to at least
>> drop conference training since it competes with its members.
>>
>> While I think this is a horrifically bad idea, I am happy to facilitate
>> looking more closely into this. If you would like we can call the IRS
>> charity customer support or similar together and ask questions and report
>> back to the community. And since I've been quite aggressive in this
>> conversation I'd also be happy to hire a lawyer that specializes in this
>> area (at my personal expense) so we can ask pointed questions.
>>
>> Regards,
>> Jim
>>
>> •••••
>>
>> Profits
>>
>> Unlike 501(c)(3) charities, which can operate ancillary activities such
>> as festivals or bake sales for profit, a 501(c)(6) organization may not
>> oversee any profit-generating enterprises. The organization is also
>> prohibited from offering the same type of services or products sold by its
>> membership. For example, an association of optometrists may only work to
>> improve the industry as a whole. If the organization examines patients or
>> sells eyeglasses, it may lose its 501(c)(6) tax exemption.
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> On Oct 11, 2015, at 5:55 AM, Robert Shullich <robert.shullich at owasp.org>
>> wrote:
>>
>> In the USA "anyone" is not true.
>>
>> As a 501 c(3) anyone donating, may be eligible to deduct - within certain
>> limits and thresholds - under a Schedule A under charitable donations,
>> which means you also need to itemize your 1040.
>>
>> Corporate sponsors on the other hand would not be doing this. They would
>> most likely be deducting sponsorships as business expenses.
>>
>> Also, individuals - even if not a 501 c(3) - can deduct dues and probably
>> some donations as business expenses, which requires a Schedule C (if they
>> run a business) or as an individual, itemize on a schedule A but is subject
>> to anything over 2%
>>
>>
>> So in the USA I don't see corporate sponsorship being affected. I have no
>> idea why we would lose 25% of membership,
>>
>> As I said before, and no one seemed to have any opinion or comment -
>>
>> Is to consider making a 501c6 organization for OWASP for the membership
>> and keep the OWASP foundation mainly for receiving and managing donations
>>
>> The concept of having the membership as a 501c6 and a side foundation as
>> a 501c3 is the current structure of ASIS, (ISC)2, and ISACA, to name a few.
>> I don't see converting OWASP  to this model as impossible, but will take a
>> lot of work, budget, and filing new corporate papers as well as new tax
>> determination letters.
>>
>> As a 501c6 - OWASP would still be tax exempt non profit, but not a
>> charitable organization. The foundation would remain a charitable
>> non-profit and still collect donations, and should be able to pass most of
>> those donations over to the 501c6.
>>
>> I don't know what the advantages of doing this, but almost everyone else
>> is doing this, even universities, so there must be some benefit.
>>
>> Sent from my iPhone
>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>> Enterprise Security Architect
>> Tower Group Companies
>> Pro Box 026156
>> Brooklyn NY 11202
>> (201) 291-7432 (Direct)
>> (201) 221-8767 (Fax)
>> (908) 419-5417 (Mobile)
>>
>>
>> On Oct 10, 2015, at 8:40 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>> wrote:
>>
>>
>> On Thu, Oct 8, 2015 at 2:36 PM, Jim Manico <jim.manico at owasp.org> wrote
>>
>> Larry Conklin wrote:
>>
>> Hey Jim can you please list what we would loose (we don't really gain
>>
>> anything but we lose a lot.) if we moved to a 501(c)(6) organization?
>>
>>
>> OWASP would lose 25% of of it's active membership, including myself, if it
>>
>> stopped being a charity. Also, anyone donating money to OWASP would lose
>> the
>>
>> ability to deduct those funds. Trade associations are mostly vendor run
>> and
>>
>> self funded. This is the exact opposite direction I think OWASP should be
>>
>> going in, IMO.
>>
>>
>> Apologies for joining this thread late; I'm way behind on personal emails.
>>
>>
>> If it's true that "anyone donating money to OWASP would lose the
>>
>> ability to deduct those funds", then my speculation is that OWASP would
>>
>> loose a significant portion of its corporate sponsored funding. At least
>>
>> that seems the logical conclusion if Jim's statement is true.
>>
>>
>> It seems that this is one part of the decision that hasn't been
>>
>> mentioned though.
>>
>>
>> -kevin
>>
>> --
>>
>> Blog: http://off-the-wall-security.blogspot.com/
>>
>> NSA: All your crypto bit are belong to us.
>>
>> _______________________________________________
>>
>> OWASP-Leaders mailing list
>>
>> OWASP-Leaders at lists.owasp.org
>>
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151011/d031bfcb/attachment-0001.html>


More information about the OWASP-Leaders mailing list